Company app distribution for Windows Phone

In this article

[ This article is for Windows Phone 8 developers. If you’re developing for Windows 10, see the latest documentation. ]

Users tap the Company Hub app XAP to install the Company Hub.

Users launch the Company Hub and use it to discover, install, and launch company apps.

Understanding company app enrollment

After a user enrolls a phone for company app distribution, the AET is installed to a secure data store on the phone. Once a day, the phone sends the Publisher ID from the AET to a Microsoft service that confirms that the company account is still valid.

During the following scenarios, the phone automatically attempts to validate the AET:

During the initial enrollment process.

Before an attempt to install an app published and signed by the company.

Before an attempt to start a company app that is installed on the phone.

When the phone contacts the Microsoft service to determine whether the company account is still valid.

The validation of the AET includes a signature validation, a certificate chain validation to a specific root certificate, and a date check on the validity period of the certificate. If the AET fails to validate during any of these scenarios, the task associated with the scenario fails.

After a user manually enrolls a phone for company app distribution by tapping an AET.aetx file on their phone, the phone is automatically enrolled for as long as the certificate is valid (one year). After enrolling for company app distribution by this process, users cannot unenroll their phone by using the phone UI.

Best practices

Microsoft recommends that companies adhere to the following guidelines:

If the enterprise certificate is protected with a private key, store the private key securely.

Note

Windows Phone does not currently support using an HSM (hardware security module) for storing the private key.

If the AET or Company Hub XAP is distributed to users of unmanaged phones via email, apply IRM protection to the email.